No Slide Title
Download
Report
Transcript No Slide Title
ECE-8843
http://www.csc.gatech.edu/copeland/jac/8843/
Prof. John A. Copeland
[email protected]
404 894-5177
fax 404 894-0035
Office: GCATT Bldg 579
email or call for office visit, or call Kathy Cheek, 404 894-5696
Chapter 4a - Kerberos
Kerberos, v4 and v5
Provides a complete protocol for authentication and
secure communications for hosts connected by a data
communications network
•
Provides secure "tickets" to hosts that can be used
to initiate a secure message exchange
•
Standard message formats for encrypted and signed
messages, or signed plaintext messages
•
Formats for encoding expiration time, names, ...
•
Allows "read-only" slave KDC's (distributed KDCs)
2
Keberos uses Mediated Authentication
(with a Key Distribution Center, KDC )
Bob
Jack
Alice
Kbob
Kalice
Mary
Tom
KDC
Paul
Peter
Dick
Jip
Trudi
Harry
3
Alice
(human)
logs on
to
Alice,
(PC)
Alice
Alice PC
hashes
Alice's
passwork
to get a
DES Key,
Kalice=Ka
{Ka,{TGT;Kk};
Kak}
Alice wants
Bob,{TGT;Kk},
{time;Ka}
{Bob,Kab,Ticket
-Bob; Ka}
{time; Kab},
Bob has
Key
Dist.
Shared
Ctr
Secret Key
gen.s
with KDC,
Kab,
has
Kk
Kbob
{Kab,Alice; Kbob} ="Ticket"
{time + 1, Kab}
After the 1st exchange with the KDC, Alice has a
session key, Ka, and a "Ticket-Granting Ticket"
that she can use to request "Tickets" from KDC
•
PC erases Alice's password and Kak from disk and RAM.
•
Time(stamp) is used as nonce (seconds after 1/1/1970)
4
5
Host
Slave
KDC
Host
Host
Slave
KDC
Host
Host
Host
Master
KDC {db;Kmaster}
Host
Slave
KDC
Host
Host
Host
Realm
Slave
KDC
Slave
KDC
Host
• Replicated KDCs (slaves) are read only.
• Entire Host-KDC dasebase is downloaded periodically
6
KDC
(Hatter)
1
KDC
(Lion)
Lion
2
Alice
Realm
Wonderland
3
Dorothy
Lion can also be a
"principal" in
Wonderland (with the
Queen's OK)
Realm
Oz
Alice wants to talk to Dorothy
7
Plaintext Cipher Block Chaining (P
PCBC)
IV
m1
m2
m3
(+)
(+)
(+)
E
E
E
c1
c2
c3
Key
The 1st 64-bit message segment is XOR'ed with
an initial vector (IV). Each following message
segment is XOR'ed with the preceding ciphertext
and plaintext segments-for privacy & integrity .
8
Kerberos Message Integrity Check
(Message Digest)
MIC is Hash(<Ksession,message>)
The Hash algorithm was never published (but
source code can be obtained)
It is based on a checksum algorithm designed
by Juneman to use mod 2^31-1 (prime), but
changed to use 2^63-1 (not prime).
Cryptographers worry that it might be
breakable, or reversible (to get Ksession).
9
Network Layer (IP) Addresses in Tickets
Only 4 bytes available, so limited to Internet
Protocol (Novel, IBM, Appletalk, IPv6... longer)
Makes "spoofing" harder, IP address must be
stolen from network as well as Ticket from Alice.
Prevents delegation, giving the ticket to another
host to represent you (which is allowed by
Kerberos V5)
10
Why Study Kerberos v4
(Why doesn't everyone switch to v5)
Kerberos V4 is working well in many systems
Switching to V5 requires stopping the network
and upgrading every host at once before restart
Kerberos V5 is inefficient in some ways compared
to V4
•
Specified in ASN.1 (abstraction good and bad)
•
Example: 11 bytes required for 4-byte IP address.
11
Kerberos v5 Cryptographic Algorithms
Kerberos v4 used Plaintext Cipher Block Chaining
and modified Juneman hash
Kerberos v5 can use a variety of encryptions
(DES in practice) and hashes (MD4, MD5).
One primary MIC uses
• { confounder + MD5(confounder & message)}K'
•
K' = Kalice-bob (+) F0F0F0F0F0F0F0F0
A more modern MIC that is not used is
• MD5(Kalice-bob & message)
12
Password security
Originally UNIX stored a hash of each User’s password in a
globally readable account. This can be attacked by hashing
all common words for a reverse lookup table.
• Do not send in clear except over short secure channels
• Choose had to guess passwords, enforce.
• Force changing passwords periodically
• Avoid keeping password in memory longer than
necessary to generate the user's master key (w KDC)
•
Send hash of (key+nonce) to KDC for authentication
• Add salt before hashing passwords for pw database
•
Add realm name to password before hashing for pw db
13
Message Security and Integrity
Only exchange messages with authenticated hosts
Develop a session key and separate MIC key
using initial password exchange
Encrypt Diffie-Hellman exchanges to prevent
Bucket Brigade (man-in-middle) attacks.
Use MICs, especially with self-synchronizing
encryptions (e.g., PCBC) which survive
permutations of message blocks.
Get "random" numbers from true sources
Protect Master KDC Key and hashed-key database
14
Bonus
Entropy of Data, H
H = sum[i=1 to k]{Pi * log2(1/Pi)}
(bits of information per symbol)
Where:
k = number of states (or symbols)
Pi = probability of the i’th state (ni/N)
If the symbols are binary numbers with 8 bits:
H = 8 -> complete disorder or randomness
H < 8 -> some order (ASCII text, H = 4 - 5 bits)
15
Bonus - Encoding Text as Binary - ASCII
CONTROLS
0
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
NULL
SOH
STX
ETX
EOT
ENQ
ACK
BEL
BS
HT
LF
VT
FF
CR
SO
SI
DLE
DC1
DC2
DC3
DC4
NAK
SYN
ETB
CAN
EM
SUB
ESC
FS
GS
RS
US
NUMBERS
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
SPACE
!
"
#
$
%
&
'
(
)
*
+
,
.
/
0
1
2
3
4
5
6
7
8
9
:
;
<
=
>
?
CAPITALS
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
LOWER CASE
@
A
B
C
D
E
F
G
H
I
J
K
L
M
N
O
P
Q
R
S
T
U
V
W
X
Y
Z
[
\
]
^
_
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
`
a
b
c
d
e
f
g
h
i
j
k
l
m
n
o
p
q
r
s
t
u
v
w
x
y
z
{
|
}
~
DELETE
Examples: "A" = decimal 65 = 00100001, "z" =01111101
16